Notice about macOS Catalina and op

cohix
1Password Alumni
edited November 2019 in CLI

With macOS Catalina (10.15), Apple introduced new Gatekeeper functionality to check all programs for notarization before allowing them to run. This means that all developers are required to submit their software to Apple before release such that it can be scanned for malware and verified as legitimate.

op is notarized as of version 0.8.0; any previous versions will not work on macOS Catalina unless run using the op Docker image. Please update to 0.8.0 and install via the .pkg installer to use op on macOS.

Happy scripting!

Comments

  • kmiracle
    Community Member

    Any idea how long this will take so I can upgrade to macOS Catalina and still use my 1Password membership? I clicked on the link above and have no clue what a Docker Container is or how to use this!!!

  • kmiracle
    Community Member

    I forgot to mention that I use 1Password7 ....1Password 7 Version 7.3.2 (70302004) from the 1Password Store

  • cohix
    1Password Alumni

    @kmiracle I think there is a bit of confusion: this applies to the op command-line tool, not 1Password for Mac. Our Mac app works well in Catalina and is already notarized. The Mac distribution of the op tool is the only thing affected by this.

  • kmiracle
    Community Member

    You're correct, it was confusing since I could find no information other than this one about the op, and now I do not know what that is. I thought op just meant one password.

  • cohix
    1Password Alumni

    No, not in this case :)

  • AGAlumB
    1Password Alumni
    edited October 2019

    In case it helps you or anyone else, op is the actual command to run the 1Password command line app, which is the subject of this forum category. Cheers! :) :+1:

  • glyph
    Community Member

    There are two other possible workarounds for those stuck without a working op command for the moment:

    spctl --add `which op`

    which does more or less the same thing that Finder does when you right-click a non-notarized / unsigned binary and click 'open' in the dialog that comes up, or this:

    xattr -d com.apple.quarantine `which op`

    which ... effectively tells macOS, "download? what download? I found this binary on my disk fully formed, maybe I compiled it myself, you don't need to protect me from it".

    I'll definitely feel better when the binary is just notarized though :-).

  • @glyph,

    While it's possible to submit command line binaries to Apple for notarization analysis, it's not actually possible to staple the resulting notary information to the command line tool itself.

  • glyph
    Community Member

    @rudy my understanding is that stapling is just to facilitate offline verification, and as long as the Mac in question is internet-connected at first run time, it’ll download and cache the notarization anyway.

    To that end, you can staple to a pkg file: https://scriptingosx.com/2019/09/notarize-a-command-line-tool/ which … I’m not sure of the mechanics here? Maybe it just sideloads the notarization blob into the system policy list? But it’s a supported workflow, somehow.

  • zahanm
    Community Member
    edited November 2019

    @glyph thanks for the pointers! Removing the attribute (xattr) worked for me.
    I don't think the spctl command you listed works though. Before adding the rule to allow it, this is the --assess output:


    After adding a rule, it still refuses to run. --assess output:


    Removing the com.apple.quarantine attribute gets it working again though.

  • @zahanm,

    Those results for spctl make sense, as the op that you currently have isn't codesigned.

  • cohix
    1Password Alumni

    @kmiracle @glyph @zahanm As of version 0.8, which was released just moments ago, op is now notarized! Please try it out and let us know how it goes.

  • glyph
    Community Member

    Thank you! (My minor update to the spctl debacle is that you have to do a thing in System Preferences manually to allow it after you've done --add, I'm not sure the command-line synonym for that. But this is no longer necessary now that it's notarized :))

    @cohix I have some personal interest in how such a thing is accomplished - would you be willing to explain how the process was done? Does the binary somehow include the stapled notarization ticket, do you have to be online the first time you run it?

  • cohix
    1Password Alumni

    @glyph Absolutely! We built a new CD job that builds the op binary with an embedded Info.plist file, then uses packagesbuild to bundle it into a .pkg file. We then sign it with our developer certificate, zip it up, and upload it to the notary service. Our wonderful Apple dev team (shout out @rudy for all his knowledge) created a great script that does the zipping and uploading, and then polls the notary service until the job is complete, downloads the ticket, and staples it to the .pkg (which recursively staples the binary itself, iirc). That gets uploaded to our app-updates server where it's delivered to you fine folk :)
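    As an added example (not 1Password's actual CD script), here is the poll-the-notary-service-then-staple step cohix describes, written in Python against the 2019-era `xcrun altool` flow. It assumes the XML reply layout stated in the docstring, and the live `altool`/`stapler` calls only run on macOS; the parsing and polling logic is testable anywhere.

```python
"""Poll the 2019-era altool notary service until a submission finishes, then staple.
Added example, not 1Password's script. Assumes altool's --output-format xml reply is a
plist whose "notarization-info" dict holds "Status", "Status Message", "LogFileURL"."""
import plistlib
import subprocess
import time
from typing import Callable

TERMINAL = {"success", "invalid"}  # any other Status means still in progress

# Constructed sample replies in the assumed altool shape (not real service output).
SAMPLE_IN_PROGRESS = plistlib.dumps({"notarization-info": {"Status": "in progress"}})
SAMPLE_SUCCESS = plistlib.dumps({"notarization-info": {
    "Status": "success", "Status Message": "Package Approved",
    "LogFileURL": "https://example.invalid/notary-log.json"}})

def parse_notarization_info(reply: bytes) -> dict:
    """Reduce an altool XML reply to status, message and log URL."""
    info = plistlib.loads(reply).get("notarization-info", {})
    return {"status": info.get("Status", "unknown"),
            "message": info.get("Status Message", ""),
            "log_url": info.get("LogFileURL")}

def altool_info(request_uuid: str, user: str) -> bytes:
    """Live fetcher (macOS only). altool reads the app-specific password from
    $AC_PASSWORD itself via the @env: prefix, so it never appears on the command line."""
    cmd = ["xcrun", "altool", "--notarization-info", request_uuid,
           "-u", user, "-p", "@env:AC_PASSWORD", "--output-format", "xml"]
    return subprocess.run(cmd, check=True, capture_output=True).stdout

def wait_for_notarization(fetch: Callable[[], bytes], interval: float = 30.0,
                          max_polls: int = 60, sleep=time.sleep) -> dict:
    """Poll fetch() until Status is terminal; fail rather than loop forever."""
    for _ in range(max_polls):
        result = parse_notarization_info(fetch())
        if result["status"] in TERMINAL:
            return result
        sleep(interval)
    raise TimeoutError(f"notarization still pending after {max_polls} polls")

def staple(pkg_path: str) -> None:
    """Attach the ticket so Gatekeeper can verify the .pkg offline (macOS only)."""
    subprocess.run(["xcrun", "stapler", "staple", pkg_path], check=True)

if __name__ == "__main__":
    import sys
    request_uuid, user, pkg = sys.argv[1:4]
    outcome = wait_for_notarization(lambda: altool_info(request_uuid, user))
    if outcome["status"] != "success":
        sys.exit(f"notarization failed: {outcome['message']} {outcome['log_url']}")
    staple(pkg)
```

    An "invalid" result is terminal too, so the script surfaces the status message and log URL instead of stapling a rejected package.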

This discussion has been closed.